c9ff03f2a3302b8e58a3dd63f9f2da82c50b3eaeb351c35c643e02fe04e0bd96

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f5d4ccf2d855a9a28c67ec73d3f1cd_JaffaCakes118.exe
Size

702KB
MD5

b4f5d4ccf2d855a9a28c67ec73d3f1cd
SHA1

abb9d0fea74215af1a9b4dec91be8e92d2231196
SHA256

c9ff03f2a3302b8e58a3dd63f9f2da82c50b3eaeb351c35c643e02fe04e0bd96
SHA512

6ed1ad06ef3e075a083bed3d0d8fab861508d72b0904d1753e38fdbd531eec2158e8e325fe184c36d3d0bb2e74de679f8ab961283774d1a65011295f80740d30
SSDEEP

12288:VW5+IvjwJeBbj5lgUw0FVeEqagXwZs7zQ1F9IutH1LKKO1JVCTj29hxX:I7vjw2bkGVqagXwZgzQ1PJtJKvVCPghB

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2932	ok.exe
2764	4.exe
2792	Hacker.com.cn.exe

Loads dropped DLL 4 IoCs

pid	Process
2424	cmd.exe
2424	cmd.exe
2932	ok.exe
2932	ok.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ok.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	4.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	4.exe
File created	C:\Windows\uninstal.bat	4.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4f5d4ccf2d855a9a28c67ec73d3f1cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{22FF631F-9759-4079-B847-5A52125836E9}	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-98-f6-20-7b-45\WpadDecisionTime = 70b5a8b6e742db01	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-98-f6-20-7b-45	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-98-f6-20-7b-45\WpadDecisionReason = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-98-f6-20-7b-45\WpadDecision = "0"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{22FF631F-9759-4079-B847-5A52125836E9}\WpadDecisionReason = "1"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{22FF631F-9759-4079-B847-5A52125836E9}\WpadNetworkName = "Network 3"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{22FF631F-9759-4079-B847-5A52125836E9}\ea-98-f6-20-7b-45	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ce000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{22FF631F-9759-4079-B847-5A52125836E9}\WpadDecisionTime = 70b5a8b6e742db01	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{22FF631F-9759-4079-B847-5A52125836E9}\WpadDecision = "0"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	4.exe
Token: SeDebugPrivilege	2792	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2792	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2424	1684	b4f5d4ccf2d855a9a28c67ec73d3f1cd_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2424	1684	b4f5d4ccf2d855a9a28c67ec73d3f1cd_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2424	1684	b4f5d4ccf2d855a9a28c67ec73d3f1cd_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2424	1684	b4f5d4ccf2d855a9a28c67ec73d3f1cd_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2932	2424	cmd.exe	30
PID 2424 wrote to memory of 2932	2424	cmd.exe	30
PID 2424 wrote to memory of 2932	2424	cmd.exe	30
PID 2424 wrote to memory of 2932	2424	cmd.exe	30
PID 2932 wrote to memory of 2764	2932	ok.exe	31
PID 2932 wrote to memory of 2764	2932	ok.exe	31
PID 2932 wrote to memory of 2764	2932	ok.exe	31
PID 2932 wrote to memory of 2764	2932	ok.exe	31
PID 2792 wrote to memory of 2540	2792	Hacker.com.cn.exe	33
PID 2792 wrote to memory of 2540	2792	Hacker.com.cn.exe	33
PID 2792 wrote to memory of 2540	2792	Hacker.com.cn.exe	33
PID 2792 wrote to memory of 2540	2792	Hacker.com.cn.exe	33
PID 2764 wrote to memory of 3020	2764	4.exe	34
PID 2764 wrote to memory of 3020	2764	4.exe	34
PID 2764 wrote to memory of 3020	2764	4.exe	34
PID 2764 wrote to memory of 3020	2764	4.exe	34
PID 2764 wrote to memory of 3020	2764	4.exe	34
PID 2764 wrote to memory of 3020	2764	4.exe	34
PID 2764 wrote to memory of 3020	2764	4.exe	34

C:\Users\Admin\AppData\Local\Temp\b4f5d4ccf2d855a9a28c67ec73d3f1cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4f5d4ccf2d855a9a28c67ec73d3f1cd_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\ok.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\ok.exe
    C:\Users\Admin\AppData\Local\Temp\\ok.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\uninstal.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3020

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
150B

MD5
5edd682a8b1f2bf873300774f954ab03

SHA1
2cca4e743d02dbccf31b784ea26a60c03dcc9637

SHA256
a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a

SHA512
916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
788KB

MD5
3dc6231ebad5ef94e62c45d6be4ccd35

SHA1
d69237f429b1d812acdaab2ff406a8e073f6cce7

SHA256
212ef7a094d01955af45ea3ebcd5dfc231112c53e6ccb3e17bb40a382a8e7730

SHA512
0953c0d830ae6b0bad38a2749b49fee451ced3f4607035bd7aa8018ca246cc7ec63f46db63ce61b5c04f45cc08bd64731ffef4e02d3051b9553c0493bcb201d7

Download Submit
\Users\Admin\AppData\Local\Temp\ok.exe

Filesize
639KB

MD5
9312d3fb482a9be8b7fe7cdf5c6d5efc

SHA1
257074e547ef64aea5d8c9e56d564eda1dbeaa98

SHA256
5068a1fd614886b98378c1abd589406575a91a667bc261212e67dc1f1c01c2f8

SHA512
99284af5194326b863d62eb1192d0aff2bd725c9a953478e95b571c1c6c454d6c9569ffe78cdb4888b15c0afaa3782337b9c056bb8dc272f3738cb1428783ba8

Download Submit
memory/1684-1-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2424-6-0x0000000000890000-0x0000000000996000-memory.dmp

Filesize
1.0MB

Download
memory/2424-8-0x0000000000890000-0x0000000000996000-memory.dmp

Filesize
1.0MB

Download
memory/2764-67-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2764-51-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2792-72-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2792-57-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2932-21-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2932-14-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2932-31-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-30-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-29-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-28-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-27-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-26-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-25-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-24-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-23-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-22-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-33-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-20-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2932-19-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2932-18-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2932-17-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-16-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2932-15-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2932-32-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-13-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2932-12-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2932-11-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2932-10-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2932-9-0x00000000001B0000-0x0000000000200000-memory.dmp

Filesize
320KB

Download
memory/2932-34-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-35-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-36-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-49-0x0000000002A00000-0x0000000002ACF000-memory.dmp

Filesize
828KB

Download
memory/2932-44-0x0000000002A00000-0x0000000002ACF000-memory.dmp

Filesize
828KB

Download
memory/2932-37-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-56-0x0000000001000000-0x0000000001106000-memory.dmp

Filesize
1.0MB

Download
memory/2932-38-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-39-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2932-70-0x0000000001000000-0x0000000001106000-memory.dmp

Filesize
1.0MB

Download
memory/2932-69-0x00000000001B0000-0x0000000000200000-memory.dmp

Filesize
320KB

Download
memory/2932-7-0x0000000001000000-0x0000000001106000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads